Clear mentor entry of the user when is expertise is empty.

[platal.git] / modules / carnet.php

diff --git a/modules/carnet.php b/modules/carnet.php
index 4dbb162..cf1cd16 100644 (file)
--- a/modules/carnet.php
+++ b/modules/carnet.php
@@ -127,6 +127,9 @@ class CarnetModule extends PLModule
         $promo_sortie = $res->fetchOneCell();
         $page->assign('promo_sortie', $promo_sortie);
 
+        if ($action) {
+            S::assert_xsrf_token();
+        }
         switch ($action) {
           case 'add_promo':
           case 'del_promo':
@@ -142,13 +145,20 @@ class CarnetModule extends PLModule
             break;
         }
 
-        if (Env::has('subs'))       $watch->_subs->update('sub');
+        if (Env::has('subs')) {
+            S::assert_xsrf_token();
+            $watch->_subs->update('sub');
+        }
+
         if (Env::has('flags_contacts')) {
+            S::assert_xsrf_token();
             $watch->watch_contacts = Env::b('contacts');
             $watch->saveFlags();
         }
+
         if (Env::has('flags_mail')) {
-            $watch->watch_mail     = Env::b('mail');
+            S::assert_xsrf_token();
+            $watch->watch_mail = Env::b('mail');
             $watch->saveFlags();
         }
 
@@ -198,6 +208,11 @@ class CarnetModule extends PLModule
         $uid  = S::v('uid');
         $user = Env::v('user');
 
+        // For XSRF protection, checks both the normal xsrf token, and the special RSS token.
+        // It allows direct linking to contact adding in the RSS feed.
+        if (Env::v('action') && Env::v('token') !== S::v('core_rss_hash')) {
+            S::assert_xsrf_token();
+        }
         switch (Env::v('action')) {
             case 'retirer':
                 if (is_numeric($user)) {